tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: where to put static files?
Date Mon, 21 Nov 2011 18:52:29 GMT

What we are trying to say is this :

The WEB-INF and META-INF sub-directories of a Tomcat webapp, are supposed to contain files

that should NOT be accessed by the users.  For example, in the WEB-INF and META-INF 
subdirectories, there are files (like WEB-INF/web.xml) which may contain private 
information (such as, e.g., passwords to access a database system).
For that reason, Tomcat itself forbids access to the content of these directories.
If you try to access Tomcat directly via a URL like 
"", you will get a "Forbidden" 
response. Always.

But if on the same host, you run another webserver (Apache, nginx,..), and you allow this

webserver to access the content of the Tomcat ../webapps/mywebapp/WEB-INF directory, then

you bypass the Tomcat security and make it useless.
That means that a user, with a well-crafted URL, will be able to access and display the 
content of those files.  This is a big security hole.
You can configure the front-end webserver to also forbid this, but it requires additional

configuration, and you will forget to do it, or do it wrong.
So don't do that.

If you have static resources that need to be accessed via links in your pages, put them in

a subdirectory of your webapp, but /not/ in WEB-INF or META-INF.
For example, in ../webapps/mywebapp/images/*.jpg or ../webapps/mywebapp/css/*.css

Tomcat will server static resources just fine, usually as fast as Apache or nginx would.

If you insist that you must serve this static content directly from the front-end 
webserver, and not ask Tomcat to do it, then place them somewhere under the DocumentRoot 
of the front-end webserver (which should /NOT/ be the same as the Tomcat webapps 
directory), and use the proxy instructions so that these requests are /not/ forwarded to 
Tomcat, but served locally.
For example :

ProxyPass /mywebapp/images !
ProxyPass /mywebapp/css !
ProxyPass /mywebapp ajp://tomcat:8009/mywebapp

will proxy all requests for /mywebapp to Tomcat, *except* for the /images and /css 

Jan Vávra wrote:
> Hello,
>  when I started my project others told me to use apache for static 
> content and tomcat for java/jsp.
> It works quite good. Tomcat is hidden under reverse proxy (mod_ajp). So 
> static content gives apache, dynamic tomcat.
> Jan.
>> I have a spring project (web app), in my project where should I be 
>> putting
>> my static files like images/css/javascript?
>> In my WEB-INF like:
>> /WEB-INF/Assets {images/css/js}
>> I know when I go in production I will have nginx map to this folder to
>> serve the static files, but I just want to know where I can put them for
>> development/testing.
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message